BRING YOUR OWN DEVICE, BEWARE YOUR LOST DATA: TECH, TERRORS AND TRIALS

2014 Workplace Strategies Seminar

Presented by Ogletree Deakins | www.ogletreedeakins.com

For more information on employment law matters contact Ron Chapman at ron.chapman@ogletreedeakins.com

Pat Martin, Esq.; Lara de Leon, Esq. and Kim Lehman, Esq.

Technology Savvy Workforce Spurs BYOD Growth

iPhones, iPads, and Android smartphones are part of our everyday lives. Recognizing the potential for increased workplace flexibility and productivity, many employers have adopted policies that allow employees to use their own personal mobile devices to create, store, and transmit work-related data. These policies are referred to as “Bring Your Own Device” or BYOD. BYOD developed in part because mobile technology has become more affordable and easier to use. Employees increasingly have their own personal mobile devices, which they often prefer over any other device (e.g., their personal iPhone over the company-issued BlackBerry). Continued BYOD growth in the workplace is believed to be inevitable. The days of carrying around multiple mobile devices are ending; soon employees will tote only their own, preferred device. A 2012 survey sponsored by Trend Micro indicates that employees prefer companies that permit BYOD, and that executives believe BYOD programs positively influence productivity and creativity.

The upside of BYOD does not come without risk. While there is certainly overlap, BYOD poses some issues distinct from those that arise where employers issue company cell phones, PDAs, laptops, or the like. Because the employer does not own the device under BYOD, the employer cannot prohibit the device from being used for personal reasons, cannot automatically track and access the device, and cannot demand return of the device upon an employee’s departure. These are just some of the issues that pose challenges to employers.

This paper will address some of the potential pitfalls facing employers dealing with BYOD and discuss some practices and emerging technology available to help address these concerns.

I. Trade Secret Protection

Many employers have policies prohibiting the copying of company data to an employee’s personal device. Indeed, companies vigorously protect trade secret and proprietary information. The notion of company data being stored on or accessed through employees’ personal devices runs contrary to past practices. Employers need to consider the challenge BYOD poses to their ability to protect trade secret information. For some, the risk may simply be too great. Employers that handle particularly sensitive information or are highly regulated may decide that the risks of BYOD outweigh the benefits, and mandate the exclusive use of corporate devices. For others, addressing the issue by updating confidentiality agreements and obtaining prior written consent to delete company data from departing employees’ devices may be deemed sufficient protection. Some employers choose to restrict BYOD to specific classes of employees, or restrict the types of information accessible on personal devices. For example, an employer may permit employees to access their work e-mail on a personal mobile device, but not the employer’s larger network or document repository.

Takeaway: Employers should tailor BYOD policies to their specific intellectual property needs. At a minimum, employers should consider updating confidentiality agreements, and should also obtain written consent to delete company data from an employee’s personal device upon departure.

II. Complying With Confidentiality Obligations

Allowing company data to be stored and transmitted using devices and networks an employer may not control poses a risk to the security of information that may expose companies to liability. For example, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires covered entities and their business associates to implement safeguards for protected health information maintained in electronic form. In fact, in 2012, a Massachusetts health care provider and its affiliated physician group paid $1.5 million to the federal government to resolve allegations that they violated the HIPAA Security Rule after a doctor’s laptop computer containing unencrypted patient data was stolen. The loss of a single unencrypted device was enough to trigger the enforcement action; the same exposure exists for an unencrypted personal phone holding work e-mail.

In addition to the myriad federal protections, individual states have promulgated a patchwork of laws protecting individual privacy, including laws that are specifically directed to protecting information online. For example, California has multiple statutory provisions designed to combat invasions of privacy both online and off, punishable by both criminal and civil penalties. In short, security breaches expose employers to government enforcement actions, civil penalties, and litigation. BYOD policies need to address these risks. Companies need to ensure they have legally defensible security measures in place to prevent unauthorized access to confidential information. At a minimum, employers should be able to demonstrate a considered and thorough approach to their BYOD policy and related data-security concerns.

Confidentiality policies and agreements are critical tools in combating confidentiality breaches, and in meting out consequences after the fact. Although confidentiality policies should be in place in any environment where proprietary information is shared, confidentiality agreements between employers and employees permit enforcement after the fact, that is, after the employment relationship has been severed and the employee is not clearly subject to the employer’s policies.

In addition to confidentiality policies and agreements, an employer should take, and be able to demonstrate, reasonable measures to protect confidential or other proprietary information. Company-issued mobile devices or laptops often come loaded with security applications the company has vetted and that its IT department can support. If an employer wants to allow an employee to connect his or her own device to the company network to access company data, the employer needs to ensure similar security precautions are in place, and should obtain agreement to terms of use at its first opportunity. Any BYOD policy should require security measures such as device encryption, a strong password or passcode, and automatic locking of the device when idle. Employees should also agree not to disable or alter those security settings.

The ability to delete or wipe data from a device remotely in the event of theft or loss is also a security essential. The BYOD policy should expressly require that employees promptly report a lost, stolen, or otherwise compromised device, because a remote wipe only works while the device is still reachable and before the data has been extracted. An employer should also establish clear policies on the extent to which it will be able to access, monitor, and delete data on the employee’s personal device and whether, in specific circumstances, this may include the employee’s personal data. Employees should also be notified that they will be required to load software on their devices to allow for wiping, and that this could also wipe their personal photos, contacts, e-mails, and other software. Employers should have employees sign a waiver consenting to wiping and holding the company harmless.

Takeaway: Employers should obtain written consent to install encryption and antivirus software and enable remote wiping capabilities. Employers may also want to consider revising mobile device security, password, and loss reporting policies.

For some employees, agreeing to such policies and consenting to remote wiping in the event the device is lost or stolen will be a deal-breaker. Nevertheless, employers need to implement necessary policies to protect their interests if employees wish to be permitted to use their own devices at work.

III. Investigations, Litigation, and Employee Privacy

The legality of accessing personal information on an employee’s personal device in the event of an investigation or lawsuit presents some of the thorniest issues related to BYOD. Courts have recognized that an employee has “no reasonable expectation of privacy” in computer files, e-mails, and electronic data maintained at his or her workplace. The tables may be turned, however, where an employee-owned portable device is at issue. The federal Computer Fraud and Abuse Act (CFAA) makes it a criminal offense to access a computer without authorization and may permit the recovery of civil damages. Several states have laws that specifically prohibit unauthorized computer access, and others have general statutes that permit prosecution for similar offenses. Accessing the employee’s personal device without prior written permission may subject the employer to liability. Therefore, at a minimum, employers should provide explicit notice to employees that the information on their devices, or even the devices themselves, may be discoverable in litigation, and obtain prior written consent to access an employee’s device.

Consider the situation where a company is involved in litigation and an employee’s personal cell phone or tablet connected to work e-mail and other company servers may hold relevant information that needs to be examined for evidence and for compliance with the rules of discovery. When an individual employee owns or possesses the device, it may be difficult to actually obtain possession of it, especially where the employee (or former employee) is the subject of the investigation. An employer may mitigate this concern by maintaining a comprehensive archive of all business-related communications and by requiring employees to access the corporate network in order to perform business tasks on their personal device, so that the authoritative copy of work data is created and retained on systems the employer controls rather than only on the device.

Takeaway: Employers should obtain prior written consent to access work data in the event of an investigation or litigation, and to copy the data for preservation to comply with discovery obligations.

Emerging “sandboxing” (or containerization) technology, which separates personal data from work data in a managed container so that any system wipes or access requests impact only company information, is becoming more prevalent. Technology is also being developed which would allow only certain applications to be viewable by the company. These developments may eventually mitigate some of the risks, though they only help if work data actually stays inside the container; a policy that lets employees forward work e-mail to a personal account or copy documents into personal apps defeats the separation.

Takeaway: Employers should keep an eye on emerging technologies, like sandboxing, and look into the cost-effectiveness of these products in order to help alleviate some of the privacy and security challenges of BYOD.

IV. BYOD – Dangers of Blurring the Line Between Work Life and Personal Life

Employers typically try not to tread on employees’ personal lives when crafting company policies. But where employees are using their own personal devices with company approval, the line can be blurred.

A. Equal Employment Opportunity Concerns

State and federal laws require employers to provide employees and prospective employees with equal employment opportunities. In particular, federal law prohibits discrimination and harassment based on race, color, national origin, sex, religion, veteran status, genetic information, pregnancy, age, and physical or mental disability. Employers also must maintain a workplace free of unlawful harassment, including a hostile work environment, based upon any protected characteristic. Employers should consider the danger that an employee may use his or her own personal device to view and/or exchange content that would violate company EEO policies. When that same device is brought into the workplace, the employee may not fully recognize the distinction between private and professional conduct. In other words, just because it is the employee’s own device does not make it acceptable to use it to view racially derogatory or sexually explicit content while at work, potentially creating a discriminatory or hostile work environment.

Takeaway: Any BYOD policy should contain a reminder that when utilizing personal devices for work purposes, employees are still subject to the company’s other policies, including its Equal Employment Opportunity and Non-Harassment policies. Employers may also want to review their acceptable use policy.

An employer should also consider whether a personal device may be used in order to accommodate an employee with a qualifying disability under the ADA or state law. When the need to accommodate a disabled employee or potential employee arises, an employer should consider whether an employee’s own device could provide the needed assistance and whether the employer should purchase or otherwise support the device as a reasonable accommodation.

B. Wage and Hour Concerns

Another area of concern for employers permitting BYOD is in the wage and hour arena. The Fair Labor Standards Act (FLSA) is one of the oldest federal laws regulating the work environment, dating back to 1938. The FLSA is administered and enforced by the Wage and Hour Division of the Department of Labor (DOL). All work that an employee is “suffered or permitted” to perform must be compensated by the employer. Some work, defined as de minimis work (a few minutes or seconds here and there that are too inconsequential to worry about), does not have to be compensated. The de minimis standard is normally narrowly applied. The DOL has adopted regulations to help define what does and what does not count as time worked. Essentially, activities that an employee performs for the primary benefit of the employer constitute compensable work time. Interpreting the DOL’s enforcement position, courts have historically ruled that an employer is liable for off-the-clock work if the employer knew or should have known that the employee was working.

Working outside of one’s scheduled work time without pay is generally known as working “off-the-clock.” An employer’s failure to pay non-exempt employees for off-the-clock work is one of the more common violations of federal and state wage and hour laws. Non-exempt employees’ use of PDAs, BlackBerrys, and online e-mail access from remote locations has increased worker productivity but has also substantially increased the risk of off-the-clock work violations. While some concerns apply equally to company-issued devices, potential off-the-clock work violations that should be considered in the BYOD context include:

1. Remote communications engaged in by non-exempt employees (Blackberry, cell phones, PDAs, or online e-mail access).

2. Remote work performed by non-exempt employees on laptops, particularly where non-exempt employees are connecting remotely to the employer’s computer servers to perform compensable work.

3. Being required to check or respond to voice mails or e-mails before or after an employee’s regularly scheduled workday commences or ends.

It is not unlawful under federal or state law for non-exempt employees to perform these activities outside their normally scheduled hours. What is unlawful is for non-exempt employees to perform these principal activities without the time being properly recorded and paid in accordance with federal and state minimum wage and overtime laws.

1. Off-the-Clock Communications

Employers may be tempted to rely on the de minimis rule when considering off-the-clock communications, but employers may find this a perilous proposition. To the extent that off-duty use of PDAs or other electronic devices is an “integral” part of the employee’s job, and is required or permitted by the employer, it is likely compensable. The only exception to this rule is if the time is “de minimis,” or of such short duration and frequency as to be no more than a trifle. As explained by the Supreme Court:

When the matter in issue concerns only a few seconds or minutes of work beyond the scheduled working hours, such trifles may be disregarded. Split-second absurdities are not justified by the actualities of working conditions or by the policy of the Fair Labor Standards Act. It is only when an employee is required to give up a substantial measure of his time and effort that compensable working time is involved.

Anderson v. Mt. Clemens Pottery Co., 328 U.S. 680 (1946).

There is no bright-line rule for what constitutes de minimis work, though the U.S. Circuit Courts of Appeal are essentially in accord that the relevant considerations are the administrative difficulty of recording additional time, the aggregate amount of time, and the regularity of the additional work. Because BYOD involves an employee’s personal device, it is likely that the employee will have it with him when not working to stay in touch with personal contacts, and will check it frequently. If this occurs with regularity, employers run the risk that such contact will not be considered a “trifle.” Moreover, when an employee’s device connects to a company server or system, there may be a way for the company to monitor when this occurs, making it possible for an employer to record or log the time. Those same access logs cut both ways: they reduce the administrative difficulty of recording the time, and they are evidence that the employer “should have known” the employee was working. Such grey areas pose a risk that should be addressed. Simply stated, all time worked by non-exempt employees needs to be recorded.

Supervisors and managers need to know which non-exempt employees are working remotely and ensure those employees are properly recording all hours worked. Moreover, if the supervisor or manager does not intend for work time outside an employee’s normal work hours to be compensated, the manager or supervisor needs to avoid sending e-mails or leaving voice mails after hours for these employees, because doing so invites non-exempt employees to perform compensable work remotely outside their normal work hours. A September 2008 Pew Internet & American Life Project report determined that 50 percent of U.S. employees with access to business e-mail check their work e-mail on weekends away from the office, and 34 percent also do so while on vacation. Employers should take steps to minimize off-the-clock concerns, including implementation of a clear off-the-clock policy requiring employees to record all time worked regardless of when and where the work occurred, and appropriate discipline of employees who violate the policy.

Takeaway: Employers should have a clear off-the-clock policy requiring all time to be recorded. Employers may want to consider obtaining a written acknowledgement from the employee that all time will be recorded. Supervisors and managers should be properly trained. If non-exempt employees can remote into the company’s e-mail server after hours, the employer should periodically audit the server access logs against its timekeeping records to determine whether non-exempt employees who are accessing the company server after hours are properly recording their work time.
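The following script is an added example of the audit the takeaway describes; it is not part of the original paper and reflects no particular product. It correlates a constructed gateway access log (one authenticated e-mail/VPN session per line) with a constructed HR roster and timekeeping export, and flags every after-hours session by a non-exempt employee that no recorded time entry covers. The log format, the roster and timesheet layouts, and the usernames are all assumptions made for the example; a real audit would read these from the mail gateway, VPN concentrator or MDM logs and from the payroll system.

```python
"""Audit after-hours server access by non-exempt employees against recorded time.

Added example, not the paper's own code. The log format, roster and timesheet
layouts below are assumptions; real inputs come from gateway logs and payroll.
"""
from dataclasses import dataclass
from datetime import date, datetime, time
from typing import Dict, List, Tuple

# Constructed sample log: "<session start> <session end> <username>" (ISO 8601,
# local time). This layout is assumed for the example, not any vendor's format.
ACCESS_LOG = """\
2014-03-03T08:05:00 2014-03-03T17:02:00 jdoe
2014-03-03T21:40:00 2014-03-03T21:58:00 jdoe
2014-03-04T06:10:00 2014-03-04T06:14:00 jdoe
2014-03-04T20:15:00 2014-03-04T20:45:00 asmith
2014-03-05T22:00:00 2014-03-05T22:30:00 mchen"""

# Constructed HR roster: username -> (is_exempt, scheduled start, scheduled end).
ROSTER: Dict[str, Tuple[bool, time, time]] = {
    "jdoe":   (False, time(8, 0), time(17, 0)),
    "asmith": (False, time(9, 0), time(18, 0)),
    "mchen":  (True,  time(9, 0), time(18, 0)),  # exempt: off-the-clock rule does not apply
}

# Constructed timekeeping export: username -> recorded (clock-in, clock-out) pairs.
TIMESHEET: Dict[str, List[Tuple[datetime, datetime]]] = {
    "jdoe": [
        (datetime(2014, 3, 3, 8, 0),   datetime(2014, 3, 3, 17, 0)),
        (datetime(2014, 3, 3, 21, 30), datetime(2014, 3, 3, 22, 0)),  # evening e-mail was recorded
        (datetime(2014, 3, 4, 8, 0),   datetime(2014, 3, 4, 17, 0)),
    ],
    "asmith": [
        (datetime(2014, 3, 4, 9, 0),   datetime(2014, 3, 4, 18, 0)),
    ],
}


@dataclass
class Finding:
    """An after-hours session by a non-exempt employee with no matching time entry."""
    user: str
    start: datetime
    end: datetime

    @property
    def minutes(self) -> int:
        return int((self.end - self.start).total_seconds() // 60)


def parse_log(text: str) -> List[Tuple[str, datetime, datetime]]:
    """Parse the constructed log into (user, start, end) tuples, skipping blank lines."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start_s, end_s, user = line.split()
        sessions.append((user, datetime.fromisoformat(start_s), datetime.fromisoformat(end_s)))
    return sessions


def is_after_hours(start: datetime, end: datetime, sched_start: time, sched_end: time) -> bool:
    """True when the whole session lies outside the scheduled window on its start date.

    Sessions that merely straddle the boundary, or that cross midnight, are treated
    as on-schedule here; a production audit would compute the out-of-schedule portion.
    """
    day: date = start.date()
    window_start = datetime.combine(day, sched_start)
    window_end = datetime.combine(day, sched_end)
    return end <= window_start or start >= window_end


def is_recorded(start: datetime, end: datetime, entries: List[Tuple[datetime, datetime]]) -> bool:
    """True when some recorded time entry fully contains the session."""
    return any(clock_in <= start and end <= clock_out for clock_in, clock_out in entries)


def audit(log_text: str, roster, timesheet) -> List[Finding]:
    """Flag after-hours sessions by non-exempt employees that no time entry covers."""
    findings: List[Finding] = []
    for user, start, end in parse_log(log_text):
        entry = roster.get(user)
        if entry is None or entry[0]:          # unknown account or exempt employee: skip
            continue
        _, sched_start, sched_end = entry
        if not is_after_hours(start, end, sched_start, sched_end):
            continue
        if is_recorded(start, end, timesheet.get(user, [])):
            continue
        findings.append(Finding(user, start, end))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, Tuple[int, int]]:
    """Per employee: (number of unrecorded sessions, total unrecorded minutes).

    Regularity and aggregate time are what separate a "trifle" from compensable work,
    so the report keeps both rather than just a list of individual sessions.
    """
    totals: Dict[str, Tuple[int, int]] = {}
    for f in findings:
        count, mins = totals.get(f.user, (0, 0))
        totals[f.user] = (count + 1, mins + f.minutes)
    return totals


if __name__ == "__main__":
    found = audit(ACCESS_LOG, ROSTER, TIMESHEET)
    for f in found:
        print(f"{f.user}: {f.start:%Y-%m-%d %H:%M}-{f.end:%H:%M} ({f.minutes} min) not on timesheet")
    print(summarize(found))
```

On the constructed data the report flags jdoe’s four-minute early-morning session and asmith’s thirty-minute evening session, and ignores jdoe’s evening session because a time entry covers it and mchen’s session because that employee is exempt. Each flagged session is a prompt to correct the time record and pay the employee, not just a disciplinary lead, and because the employer now holds logs showing the work, it has a hard time later arguing it did not know.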

2. “Clear and Free” Meal and Break Times

Interrupted meal breaks, or meal breaks that do not last at least 30 minutes, constitute a unique form of off-the-clock work. Employers should ensure that non-exempt employees’ meal breaks are not being interrupted by work-related e-mails and phone calls. Under federal law and most states’ laws, an employer is not required to give meal breaks. However, under the FLSA, if an employer does not wish to pay for a meal break for non-exempt employees, the non-exempt employees must be provided a meal break of at least 30 minutes. Additionally, the employee must be completely relieved of all duties during the meal break. Some states, like California and New York, have stringent meal and rest period rules which, if not followed, can expose employers to class actions, monetary damages, and/or statutory penalties.

Violations of federal and state meal break laws occur when employees are interrupted and required to perform compensable work during their meal breaks. Since employees utilizing their own devices will likely want to leave their devices “on” for personal communications during meal times, employers need to make certain a BYOD policy informs non-exempt employees they should not read or respond to work e-mails and calls during break times.

Takeaway: A BYOD policy should inform non-exempt employees that they should not read or respond to work e-mails during their meal and break times.

3. Leave of Absence

One situation applicable to both non-exempt and exempt employees involves addressing access to work-related e-mails where an employee is on a leave of absence (e.g., FMLA, disability, maternity/paternity). Because communications do not cease when an employee takes leave, employers must prevent employees from engaging in uncompensated work while out on leave. A policy that prohibits employees from working while on leave may be helpful, but has practical limitations, particularly where an employee receives notifications and alerts, or receives communications that call for a timely response. The optimal solution would be to disconnect the employee’s device from employer networks for the period of the leave, or to redirect all business communications to another employee in the first instance, while keeping a separate channel open for leave-related communications between employer and employee. Whether or not an employee’s access is shut off while on leave, employees on leave should be reminded that they are not to access, read, or respond to work e-mails.

4. Expense Reimbursement

Expense reimbursement for employee use of personal devices creates another issue for employer consideration. Employers need to consider who will pay for data plans and monthly bills. In some instances, an employer may be obligated to purchase the device, particularly if it requires certain functionality in order to enable the employee to perform the job. Under the FLSA, employers must not require an employee to pay for employer business expenses if doing so would cause the employee’s earnings to fall below the required minimum wage or overtime pay.

Several states have laws that require employers to reimburse employees for certain business expenses. California, for example, expressly requires that employers reimburse employees for all necessary business-related expenditures. When an employer elects to reimburse employees for the use of their personal devices, determining the actual amount to be reimbursed poses challenges given the bulk data and minute plans that are now commonplace. Employers must also consider the payroll and income tax implications of reimbursement plans. To the extent that an employee is reimbursed in an amount greater than the actual expense of using the device for business purposes, that over-payment must be reported as income for tax purposes. However, partial reimbursements may fail to adequately compensate employees and carry the risk of underpayment. Employers should carefully analyze the amount and manner in which they reimburse employees to minimize exposure under either scenario.

C. National Labor Relations Act Concerns

Under the National Labor Relations Act (“NLRA”), employees are free to engage in protected, concerted activity. Lately, the National Labor Relations Board (“NLRB”) has taken a keen interest in many common workplace policies, and has invalidated many of them on the ground that they violate employees’ Section 7 rights. These decisions have had a sweeping effect, and many apply to unionized and non-unionized employers alike. While the NLRB has not specifically reviewed a BYOD policy, it has developed a firm position on social media policies and other policies that purport to limit how employees communicate and what they can communicate about. For example, the NLRB recently struck down an employer policy that banned “negativity.” Any BYOD policy should therefore be carefully drafted and contain clear examples of the types of behavior prohibited, in order to avoid any potential labor issues.

V. Closing Thoughts

The risks and considerations identified above are just some of the issues employers utilizing BYOD should address; the list is not exhaustive. Employers contemplating BYOD in a unionized environment face additional considerations. So do employers utilizing contract workers or analysts who may need access to a company server or network, even if for a limited period of time. BYOD presents many unforeseen challenges for what began as a way for employees to use their devices of choice when performing work. Employers need to think through the potential consequences and plan accordingly in an increasingly tech-savvy society addicted to its devices.